System not clean - how? Requesting help

Hello everyone, I'm asking for your information and help. Many thanks in advance.

Spybot + Ad-aware, as well as AntiVir 9x, apparently aren't enough, so I ran escan. What should I do now / how do I delete things so that the system is finally clean again:

```
Thu Apr 14 20:33:13 2005 => ***** Scanning complete. *****
Thu Apr 14 20:33:13 2005 => Total Objects Scanned: 31606
Thu Apr 14 20:33:13 2005 => Total Virus(es) Found: 7
Thu Apr 14 20:33:13 2005 => Total Disinfected Files: 0
Thu Apr 14 20:33:13 2005 => Total Files Renamed: 0
Thu Apr 14 20:33:13 2005 => Total Deleted Objects: 0
Thu Apr 14 20:33:13 2005 => Total Errors: 11
Thu Apr 14 20:33:13 2005 => Time Elapsed: 00:37:20
Thu Apr 14 20:33:13 2005 => Virus Database Date: 2005/04/13
Thu Apr 14 20:33:13 2005 => Virus Database Count: 125667
Thu Apr 14 20:33:13 2005 => Scan Completed.
```

Details of the findings:

```
[msvLclnt.dll] [0xfffd5e89] 14/04/2005 19:52:30:390 :ModuleName = C:\BASES_X\MWAVSCAN.COM
[msvLclnt.dll] [0xfffd5e89] 14/04/2005 19:52:30:390 :Registry Key Deleted Properly!!!
[msvLclnt.dll] [0xfffd5e89] 14/04/2005 19:52:34:460 :Options Set by External applications MWAVSCAN.COM are 9896960 (0x970400):
[msvLclnt.dll] [0xfffd5e89] 14/04/2005 19:52:34:460 :Mode :PACKED,ARCHIVED,CA,WARNINGS,MAILPLAIN
[msvLclnt.dll] [0xfffd5e89] 14/04/2005 19:52:34:460 :TimeOut : ffffffff
[msvLclnt.dll] [0xfffd5e89] 14/04/2005 19:52:34:460 :Priority : NORMAL
[msvLclnt.dll] [0xfffd5e89] 14/04/2005 19:52:35:220 :VirusCount = 125667 Latest Date = 2005/04/13
[msvLclnt.dll] [0xfffc8305] 14/04/2005 20:07:05:740 :[00000001] File C:\WINDOWS\TWAIN_32\stdsc\unreg.exe infected by not-a-virus:Tool.Win32.Reboot
[msvLclnt.dll] [0xfffc8305] 14/04/2005 20:12:56:380 :[00000001] File C:\Programme\KaZaA\My Shared Folder\kmd171_de.exe infected by not-a-virus:AdWare.Cydoor
[msvLclnt.dll] [0xfffc8305] 14/04/2005 20:16:12:250 :[00000001] File C:\Programme\YAW 3.5\Quarantäne\305675681.dat.file infected by not-a-virus:Porn-Dialer.Win32.OnlineDialer
[msvLclnt.dll] [0xfffc8305] 14/04/2005 20:25:28:530 :[00000001] File C:\Eigene Dateien\z vorsicht kazaa kopie nicht ausgeführt\kmd171_de.exe infected by not-a-virus:AdWare.Cydoor
[msvLclnt.dll] [0xfffc8305] 14/04/2005 20:31:43:340 :[00000001] File C:\temp for install\yahoo messenger 021119\ymsgrde5.exe infected by not-a-virus:Tool.Win32.Reboot
[msvLclnt.dll] [0xfffc8305] 14/04/2005 20:32:25:860 :[00000001] File C:\winlog.html infected by Trojan.JS.Fav
[msvLclnt.dll] [0xfffc8305] 14/04/2005 20:33:13:200 :VirusCount = 125667 Latest Date = 2005/04/13
[msvLclnt.dll] [0xfffd5e89] 14/04/2005 20:35:34:640 :VirusCount = 125667 Latest Date = 2005/04/13
```

HijackThis then produced the following:

```
Logfile of HijackThis v1.99.0
Scan saved at 20:38:39, on 14.04.2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von CompuServe
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [ChrontelInitTV] CHTVINIT.EXE
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAMME\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [Trojancheck 6 Guard] C:\PROGRAMME\TROJANCHECK 6\TCGUARD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Programme\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [YAW starten] "C:\PROGRAMME\YAW 3.5\yawguard.exe"
O4 - HKCU\..\RunServices: [YAW starten] "C:\PROGRAMME\YAW 3.5\yawguard.exe"
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Programme\Norton CleanSweep\csinsm32.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O4 - Startup: Encoder Agent.lnk = C:\Programme\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Programme\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Programme\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Programme\NetShow Services\Tools\nsppthlp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAMME\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAMME\YAHOO!\MESSENGER\YPAGER.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.compuserve.de/
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5.yahoo.com/v45/yacscom.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1,192.168.1.1
```

Greetings

klicker
Hi klicker,

delete the following files in safe mode (with System Restore disabled):

C:\Programme\KaZaA\My Shared Folder\kmd171_de.exe

C:\Programme\YAW 3.5\Quarantäne\305675681.dat <-- you should back this one up to a floppy disk as evidence in case of high phone bills

C:\Eigene Dateien\z vorsicht kazaa kopie nicht ausgeführt\kmd171_de.exe

Fix the following entries with HJT:

O1 - Hosts: 193.125.201.50 ie.search.msn.com

Reboot.

Post a new HJT log.
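
The following Python is an added example, not part of the thread and not code from eScan or HijackThis: it pulls the eScan "infected by" detections and the HijackThis O1 hosts entries out of log text in the two formats posted here, separating `not-a-virus:` labels from other detections and reporting hosts entries that map a name to a non-loopback address. The function names are assumptions of this example; the sample lines are copied from the logs in the thread, except the localhost entry, which is constructed.

```python
import ipaddress
import re

# Sample lines copied from the logs in the thread; the "127.0.0.1 localhost"
# entry is constructed to show a benign hosts line being skipped.
SAMPLE_LOG = r"""
[msvLclnt.dll] [0xfffc8305] 14/04/2005 20:12:56:380 :[00000001] File C:\Programme\KaZaA\My Shared Folder\kmd171_de.exe infected by not-a-virus:AdWare.Cydoor
[msvLclnt.dll] [0xfffc8305] 14/04/2005 20:32:25:860 :[00000001] File C:\winlog.html infected by Trojan.JS.Fav
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# eScan detail line: "... File <path> infected by <detection name>"
ESCAN_HIT = re.compile(r"File (?P<path>.+?) infected by (?P<name>\S+)\s*$")
# HijackThis hosts-file entry: "O1 - Hosts: <ip> <hostname>"
HJT_HOSTS = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)\s*$")


def escan_detections(log):
    """Return (path, detection name, is_riskware) for each eScan hit line."""
    hits = []
    for line in log.splitlines():
        m = ESCAN_HIT.search(line)
        if m:
            name = m.group("name")
            # "not-a-virus:" marks adware/dialer/tool classes, not malware families
            hits.append((m.group("path"), name, name.startswith("not-a-virus:")))
    return hits


def hosts_redirects(log):
    """Return (ip, host) for O1 entries pointing a name at a non-loopback IP."""
    out = []
    for line in log.splitlines():
        m = HJT_HOSTS.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an IP literal; leave for manual review
        if not ip.is_loopback and not ip.is_unspecified:
            out.append((str(ip), m.group("host")))
    return out
```
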
Copyright ©2000-2025, Trojaner-Board